Infosec 2015 – first thoughts.

This is my customary personal blog post on the Infosec Europe show. Specific articles may, or may not appear here later.

This year the show has moved to Olympia from the defunct Earls Court, which is is probably the best choice available. It’s made me nostalgic for the old Personal Computer World shows of the 1980’s. Except there’s not a lot of interesting technology here. The theme of the show seems to be governance and the IT Security industry – governance and compliance rather than solutions to real problems. It’s been the way things have been moving over the last few years, with the modern IT professional being hard pressed to know which end of a soldering iron to hold it by.

There were a few interesting new(-ish) ideas, and the bleedin’ obvious stuff being packed with a GUI and monetised.

Libra Esva is a good case in point. They’ve taken Linux, spamassassin, Clam-AV (and optional commercial AV products),together with extra filtering and firewall functionality of the kind an old-style UNIX admin would customise their rigs with, and created a virtual appliance with a good looking and easy-to-use front end for users to deploy on VMware and so on. Sure, it takes the fun out of it but it looked good.

ActiveDefence were on hand, offering to launch a DDoS attack on your infrastructure to see how good it was. What, how do you launch a realistic DdoS attack without a botnet? “We have our own, they said.” And they were serious. The service may not be unique, but it’s very rare (unless you hire a bunch of crims, of course – I’ll have to see how prices compare).

KnowBe4’s PR has been bombarding me with their name for a few weeks now; I had to see why. They’re a company after my own heart – they’re launching cyber-security awareness training and consultancy in the UK, at a level appropriate to users and at a price point where SMEs really have no excuse for not doing something about what I (and KnowB4, obviously) regard as one of the greatest threats. Call it spear phishing or human engineering attacks – the weak link is employees being duped. And the criminals are very sophisticated, so awareness is about the old defence.

I’m off to see some more people who seem to have re-invented the obvious, and put it on the market. They’re using honey-pots to capture IP addresses to dynamically configure firewalls, it appears. Quite what their angle is remains to be seen, but it’s presumably a better honey-pot than we’ve all be writing for years now.

Kids can review Kindle books in their parents’ names

Occasionally I write the odd review on Amazon products directly on Amazon. This is normally information I wish I had when I was looking for an item or book. Then, today, I was clicking about and came upon a list of things I’d written about:

AmazonReviews

Now I don’t remember reviewing E. Nesbit’s classic, and I prefer her Barnstable series anyway (although I doubt it’d be PC enough to make in to a film, so its merits are less widely appreciated).

So what’s going on here? And I certainly don’t remember reading “The Ugly Duckling”, illustrated or otherwise.

And then I realised – this was my daughter using a Kindle attached to my account. It appears that it’s possible to rate books from it directly, and this she has obviously done. In my name.

Her pronouncements as to their literary merit  may be valid, especially for someone her age, but this needs to be made clear.

I’ve sent some pointed feedback to Amazon on this point, and will wait to see what happens.

 

Microsoft’s Windows 10 Security Update Plan

The headlines on luser news media are all about Windows 10 being the last ever release of Windows. Apparently Microsoft’s plan is to issue incremental updates thereafter. As those in the know, know, this has always been the way. Microsoft only releases a new version when it wants to flog it to the punters as the next great thing, and it does this by giving the latest snapshot of the code a new name (e.g. Windows 7, Windows Vista). Okay, there have been major step-ups; for example Window 2000 was the marketing name for Windows NT 5.0 (ditching some of the disastrous code in Windows NT 4.x), then came 5.1 – sold to the public as XP. Windows Vista was the next re-write; technically it was Windows 6.0. Confusingly to the punters, 6.1 was flogged as 7 and Windows 8.0 and 8.1 were 6.2 and 6.3 respectively. The reality is that OEM versions of Windows appear frequently, to track the new hardware as it turns up in production machines. It’s only the retail customers that believe in these retail versions. So what is Microsoft really doing?

Well, one effect of having a retail version of Windows is that every three years the punters stop buying new PCs, waiting for the next “version”. As Microsoft actually makes a lot more of its revenue from selling OEM licenses (bundled with PCs) than the retail versions, keeping the hardware manufacturers happy by killing off the boom/bust cycle is probably A Good Thing.

Is Microsoft getting a bit humble, acknowledging that hardware makers have a choice and Windows isn’t the only game in town? I don’t believe they do; the punters want Windows on their desktop PCs, and that’s that. So what is in it for Microsoft?

The clue is in what Terry Myerson was saying at Ignite 2015 in Chicago last week. The new version of Windows will feature greatly enhanced on-line update capabilities, with peer-to-peer patch distribution and a lot more. Patch Tuesday is to be abolished, with updates rolled out on a continuous basis. And all in the name of security.

Let’s play devil’s advocate here, and pretend that Microsoft has other reasons. First off, Patch Tuesday, the monthly release of non-critical Windows updates in an ordered manner, will become obsolete. The policy was originally formulated to avoid patches coming out willy-nilly at odd times in the month and catching IT departments off-guard; and now they’re going back to the old chaotic system. A broken update can knock your IT systems out at any time of the day or night. If this sounds like a recipe for disaster, don’t despair – according to Terry Myerson, patches will be rolled out to the lucky home users first, which means that it can be pulled and business won’t be affected if an update screws up. Enterprise customers will still be given the choice as to which updates they install; it would have been a hard sell to knowledgable IT people otherwise.

Is this actually going to improve Windows security? Peer-to-peer patch distribution? 24/7 patches coming from Redmond as soon as they’re presumed ready? What could possibly go wrong?

Rather than looking at this as a security fix, I think the policy should be taken in to consideration alongside Microsoft’s move towards licensing, rather than selling, software. They want a continual revenue stream and they don’t like their software pirated. Who does? By moving to an OS model that requires the host to be Internet connected and constantly patching itself, it becomes much harder for cracked versions of the OS or applications to exist. (Microsoft’s own applications, that is). Peer-to-peer updates will make updates harder to block. If a crack turns up in the wild, the next day a patch to kill it can appear from Redmond. And if your stop paying the license fee, your copy of Windows stops working. This last aspect isn’t being talked about openly. I’m just guessing here. But considering Microsoft’s penchant for licensed/rented software of recent years, Windows 10 being released with a mechanism that appears ideal for licence enforcement should they ever decide to move to the rental business model, I think it’s a good guess.

Or it could simply be that Microsoft is panicking over the less-than-warm reception the world gave Windows 8/8.1 and had decided that releasing new retail versions frightens the horses.

Obama to end cyber-attacks

American president Barack Obama is so hacked off with cyber-attacks on US companies (and other interests) that he’s taken a step sure to send the perpetrators running for cover. In an executive order on the 1st of April, he created a new sanctions authority to have a go at anyone attacking the USA. In the statement announcing it he is quoted as saying “Cyber threats pose one of the most serious economic and national security challenges to the United States, and my administration is pursuing a comprehensive strategy to confront them”, describing it as a “national emergency”

Basically it gives the US Treasury Department to freeze the assets of any hackers suspected of attacking the US, in much the same way as it brings peace to places the Middle East and Ukraine. The criminals behind these attacks are no doubt quaking in their sneakers.

The decision to blame North Korea for the Sony attack told the world that the administration was getting tough, never mind the facts. And the Chinese, of course, deny state-sponsored naughtiness on an apparently daily basis.

The problem is, of course, that it’s somewhat difficult to actually figure out who’s behind an attack. Working out where an attack comes from is possible, and it’s usually from some hijacked computers used to obfuscate the origin. China and various other countries have a higher installed base of pirated software, which often comes with a built-in botnet, so of course attacks come from these places.

Initial opinion in the USA is divided between the law-makers, politicians and the non-technical cyber-security industry heralding it as the beginning of the end for international espionage gangs, and those of us who know now it works wondering if this is an April Fool.

One point I find intriguing, however, is whether this will have an effect on patent disputes. Apparently they’re worried about, and plan to apply these powers to, intellectual property theft. It seems to me that if some technology turned up in a competitor’s product and the American company went crying to the authorities they could have sanctions imposed on the foreign company, without any reasonable way of proving that any theft had taken place – or even who had it first. It could get messy.

 

 

Security certificates broken on Google Chrome 41

Don’t install the latest release of Google Chrome (41), released on Thursday (Friday UK time). They’ve messed up. Twice.

Broken SSL when talking to routers etc.

The first problem comes when accessing the web interface on a device such as a router over SSL (encrypted). Unfortunately, because the software in theses is embedded, the security certificate it uses isn’t going to match the name of the device you use to access it. This would be impossible – when it leaves the factory it hasn’t had its IP address assigned on your site; never mind the DNS entry. Previously browsers have allowed you to ignore this mis-match; the encryption works as long as you’re comfortable that you’re really talking what you think you are using some other check, and once the exception has been stored, this should be the end of the matter.

But not with Chrome release 41. Now it will show you the screen below:

ChromeMessedUp

If you ask for more details it doesn’t really give you much:

A secure connection cannot be established because this site uses an unsupported protocol.
Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
This comes from a DrayTek 2820 modem/router, but the problem seems to exist on other networking kit.

More adverts too – and a malware backdoor

(Please see update below – there may be an innocent explanation for this)
As an extra surprise, those nice people seem to have found a way of blocking URL keyword filters used to keep adverts out from objectionable sources, circumventing methods of blocking Google’s syndicated advertising. I’m still researching this, but the way they appear to have done it means that embedded content from other sources than the site you’re looking at is extremely difficult to block.
It appears Google has done this to protect its revenue stream from adverts, with little regard from the site policies that may exist for reasons Google may not realise. But that’s not the worst of it: how long will it be before this feature of Chrome is used for drive-by downloads. If you’re firewall isn’t able to cross-check the source of the content on a page, it can be coming from anywhere.
Unfortunately there is no way of rolling back a bad version of Chrome. They really don’t like you doing that, however dangerous a release might be.
I have, of course, made urgent representations to the Chrome project but we will have to wait and see. In the mean time, all I can suggest is that you prevent Chrome from updating beyond version 40.

Update 2015-03-23
On further investigation, the updated Chrome isn’t doing a DNS lookup to find the Google ad-server. I’m unsure whether this is because it somehow cached the DNS results internally or whether its hard-wired. It certainly wasn’t using the system cache, but I know Chrome has kept its own cache in the past. If it is from an internal cache, the mechanism used to get the IP address in there in the first place is a mystery, however Google’s ad servers change from time to time and it’s not impossible that the perimeter firewall simply hadn’t kept up and allowed some through.

My next research will be looking more closely at the DNS traffic.

Yahoo plans to give up passwords

The latest scheme from Yahoo’s Crazy Ideas Department is to dispense with login passwords. Are they going to replace them with a certificate login or something more secure? Nope! The security-gaff prone outfit from Sunnyvale California has had the genius idea of sending a four-character one-time password to your mobile phone, according to an announcement they made at SXSW yesterday (or possibly today if you’re reading this in the USA).

According to Chris Stoned Stoner, their Product Development Director, the bright idea is to avoid the need to memorise difficult passwords by simply sending a new one, each time, to your registered mobile phone.

At first glance, this sounds a bit like the sensible two-factor authentication you find already: Log in using your password and an additional verification code is sent to your mobile. However, Yahoo has dispensed with the first part – logging in with your normal password. This means that anyone that has physical control of your mobile phone can now hijack your Yahoo account too. If your phone is locked, no matter – just retrieve the SMS using the SIM alone. No need to pwn Yahoo accounts the traditional way.

With an estimated 800,000 mobile phones nicked per year in the UK alone (Source inferred from ONS report) and about 6M handsets a year going AWOL in the USA, you’ve got to wonder what Yahoo was thinking.

Apart from the security risk, what are the chances of being locked out of your email simply because you’re out of mobile range (or if you’re phone has gone missing). Double whammy!

More comment spammer email analysis

Since my earlier post, I decided to see what change there had been in the email addresses used by comment spammers to register. Here are the results:

 

Freemail Service  %
hotmail.com 22%
yahoo.com 20%
outlook.com 14%
mailnesia.com 8%
gmail.com 6%
laposte.net 6%
o2.pl 3%
mail.ru 2%
nokiamail.com 2%
emailgratis.info 1%
bk.ru 1%
gmx.com 1%
poczta.pl 1%
yandex.com 1%
list.ru 1%
mail.bg 1%
aol.com 1%
solar.emailind.com 1%
inbox.ru 1%
rediffmail.com 1%
live.com 1%
more-infos-about.com 1%
dispostable.com <1%
go2.pl <1%
rubbergrassmats-uk.co.uk <1%
abv.bg <1%
fdressesw.com <1%
freemail.hu <1%
katomcoupon.com <1%
tlen.pl <1%
yahoo.co.uk <1%
acity.pl <1%
atrais-kredits24.com <1%
conventionoftheleft.org <1%
iidiscounts.org <1%
interia.pl <1%
ovi.com <1%
se.vot.pl <1%
trolling-google.waw.pl <1%

As before, domains with <1% are still significant; it’s a huge sample. I’ve only excluded domains with <10 actual attempts.

The differences from 18 months ago are interesting. Firstly, mailnesia.com has dropped from 19% to 6% – however this is because the spam system has decided to block it! Hotmail is also slightly less and Gmail and AOL are about the same. The big riser is Yahoo, followed by laposte.net (which had the highest percentage rise of them all). O2 in Poland is still strangely popular.

If you want to know how to extract the statistics for yourself, see my earlier post.

jpmoryan.com malware spam

Since about 2pm(GMT) today FJL has been intercepting a nice new zero-day spammed malware from the domain jpmoyran.com (domain now deleted). Obviously just one letter different from J P Morgan, the domain was set up in a fairly okay manner – it would pass through the default spamassassin criteria, although no SPF was added as it’s being sent out by a spambot.

The payload  was a file called jpmorgan.exe (spelled correctly!) with an icon that was similar to an Adobe PDF file. Is it malware? Well yes, but I’ve yet to analyse just what. It’s something new.

 

Text of the message is something like:

 

Please fill out and return the attached ACH form along with a copy of a voided check (sic).

Anna Brown
JPMorgan Chase
GRE Project Accounting
Vendor Management & Bid/Supervisor
Fax-602-221-2251
Anna.Brown@jpmchase.com
GRE Project Accounting

Be careful.

 

Update: 19:30

As a courtesy, I always let affected companies know they’re being attacked, with variable results. J P Morgan’s cyber security department in New York took about 30 minutes to get to; they couldn’t cope with the idea that (a) I was not in America; and (b) I wasn’t even a customer of theirs. I eventually ended up speaking to someone from the “Global(sic) Security Team” who told me that if I was a customer I didn’t need to worry about it, but I could sent it to abuse@… – and then put the phone down on me. This was an address for customers to send “suspicious” emails to. I doubt they’ll read it, or the malware analysis. If you’re a J P Morgan customer, you might want to have a word about their attitude.

Interesting security issue with Google Apps for Education

I’ve come across a feature of Google Apps for Education that people should really be aware of. It goes like this…

When a school or college signs up for Google Apps for Education, a single email account is used to register a local administrator. This administrator then has control over the sub-accounts, including creation, passwords and monitoring. This would be someone at the school you can trust, right? Because they have access to all your children’s data. And it’s only for school use, so where’s the problem?

Well here’s the problem: that data will probably include a GMail account, and they may not be using it for education-related matters. Creepy. Assuming you trust the monitor, do you snoop on the pupils for their own protection or leave it completely unmoderated, with all the implications for child safety. You’re between a rock and a hard place. By forcing pupils to use an insecure channel you’re responsible for the consequences: if you look you could be accused of voyeurism; if you don’t you can be accused of allowing abuse which you could have prevented.

And it gets worse, because you’re basically logging in using a Google Account. How many people log out when they’re finished? And if a child logs in on a home computer and someone else uses it afterwards without realising, the administrator at the school gets to snoop on data inadvertently added to the account by other members of the household.

Are you a parent, and were you aware of this? You are now!

If you’re a school, my advice is to (a) monitor the monitor; and (b) make sure children know to log out after use; and (c) make very sure that you have parents’ specific permission to allow their children to use the system, being aware of the above. If not and you end up monitoring someone you don’t have permission to (i.e. not your pupil), you’re probably looking at an offence under the Misuse of Computer Act 1990 in the UK, and a class action law suit in the USA. Remember that school in Philadelphia that took snapshots using students’ Macbook webcams without telling anyone? (Robbins v. Lower Merion School District). There was no suggestion of foul play, just naivety on the part of the school district. And it cost them $600K to settle, plus a great deal of embarrassment.

Do I have SoapSoap in my WordPress?

Apparently, 100,000 WordPress sites have been compromised by this nasty. It injects redirect code in to WordPress themes.

According to an analysis posted by  Tony Perez on his blog, it’s going to be easy to spot if you’re a server administrator as in injects the code:

php function FuncQueueObject()
{
wp_enqueue_script("swfobject");
}
add_action("wp_enqueue_scripts", 'FuncQueueObject');

In to wp-includes/template-loader.php

So,

find / -name template-loader.php -exec grep {} swfobject \;

should do the trick. I’m not a PHP nut, but I don’t think swfobject is common in that file.

Update: 06-Jan-2015

The web site linked to above has an on-line scanner that’s supposed to check for this problem, so I’ve just run it against this blog. It found something here. False positive, methinks! I’ve written to them pointing out that the search may be a little naive given the subject matter of that post! Fair play for providing such a tool free of charge though. It’s a little hard to see how such a scanner could work at all, but not pick up text lifted from a compromised site.